id: chanjet-tplus-unauth-passreset

info:
  name: Chanjet Tplus - Unauthorized Password Reset
  author: 0xr2r
  severity: high
  description: |
    There is an unauthorized administrator password modification vulnerability in UF Chanjet T+ RecoverPassword.aspx. An attacker can use this vulnerability to modify the administrator account password to log in to the backend.
  reference:
    - https://cn-sec.com/archives/1377207.html
    - https://www.chanjet.com
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="畅捷通-TPlus"
  tags: tplus,unauth,chanjet

http:
  - method: GET
    path:
      - "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method={{randbase(6)}}"
      - "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd"

    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'tplus”应用程序中的服务器错误')"
          - "!contains(body_2, '>请重新登录')"
        condition: and
# digest: 4b0a00483046022100f5eca808b032b287bc1bda01b729dea7c22ac33bd895e774b32d70a0061160ee022100f7a9bbeac4f5efd5971f5dee9b8dcde9d95fd07f0d03e3949d816b4146d5f8d0:922c64590222798bb761d5b6d8e72950